Network intrusion refers to any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and always jeopardize the security of networks and/or their data. Intrusion detection and prevention are two broad terms describing application security practices used to mitigate attacks and block new threats.
Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. They work by passively monitoring (or actively gating, in the NIPS case) network traffic and applying rules or signatures to trigger alerts.
There are various types of IDS which are described below-
- Network intrusion detection systems (NIDS): A system that analyzes incoming network traffic.
- Host-based intrusion detection systems (HIDS): A system that monitors important operating system files
- Signature-based: Signature-based IDS may detect an attack/intrusion if Attack’s signature is already stored in the internal database. These systems can detect known attacks very accurately and this is the reason why they are widely used in the industry
- Anomaly-based: Anomaly-based detection tries to recognize malicious behavior. It needs the previous creation of profiles for defining the normal behavior of users, hosts, or networks. Therefore, the required data is collected and stored in a database during the normal operation.
Intrusion prevention system (IPS) is a network security and threat prevention tool. An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Intrusion prevention systems work by scanning all network traffic. There are a number of different threats that an IPS is designed to prevent, which are Denial of Service (DoS) attack, Distributed Denial of Service (DDoS) attack, Various types of exploits, Worms, Viruses. Intrusion prevention systems come in four primary types:
- Network-based: Protect your computer network
- Wireless: Protect wireless networks only
- Network behavior: Examine network traffic
- Host-based: Come as installed software to protect a single computer.
IDS and IPS are related, and often conflated, but they’re fairly different at a basic level. Intrusion detection is a form of passive network monitoring, in which traffic is examined at a packet level and results of the analysis are logged. Intrusion prevention, on the other hand, is a more proactive approach, in which problematic patterns lead to direct action by the solution itself to fend off a breach. IDS are software tools made to detect and monitor network traffic. Both IPS and IDS tools will read network packets and compare their contents with known threats. However, IDS differs in what actions are taken next. An IDS tool will not take any action on its own. An IDS requires a human to analyze results and make decisions on what to do next. This is why IPS is seen as an extension to IDS. The IDS and IPS both are necessary because these devices employ technology, which analyses traffic flows to the protected resource in order to detect and prevent exploits or other vulnerability issues.
The choice between IDS and IPS technologies comes down to the use cases, IT budget, compliance requirements, network architecture and the overall security strategies, among other factors. IDS solutions can help your organizations evaluate the internal user behavior as well as potential threats originating from the outside.
An IPS technology can also be used to address these problems by preventing unauthorized network activities by itself, but the role of the technology must align with the organization’s security strategy in thwarting these risk vectors. Organizations should choose a logical IDS / IPS approach that will pair well with their context, as well as interoperate with other elements of the total security infrastructure.